Additional Materials:

Contact:

The Department of Homeland Security (DHS) is responsible for coordinating the federal government's homeland security communications with all levels of government. In support of this mission, DHS implemented, and has been enhancing, the Homeland Security Information Network (HSIN). It also has proposed a follow-on system, called Next Generation HSIN (HSIN Next Gen). GAO was asked to determine whether (1) DHS has stopped further improvements on HSIN and if so, the department's rationale for doing so and plans for acquiring its proposed follow-on system HSIN Next Gen and (2) the department is effectively managing the HSIN Next Gen acquisition. To accomplish this, GAO analyzed documentation, interviewed officials, and compared acquisition management processes and practices defined in industry best practices with those planned and underway by DHS.

DHS halted further improvements on the existing HSIN system in September 2007. Since then, the department has continued to operate and maintain the system while a replacement--HSIN Next Gen--is being planned and acquired. DHS decided in large part to pursue this replacement due to the existing system has security and information-sharing limitations that do not meet department and other users' needs, thus impeding the department's ability to effectively perform its mission; and the new system is to be a key part of a departmentwide consolidation effort to, among other things, reduce the number of systems within DHS that share sensitive but unclassified information. DHS has developed an acquisition strategy for HSIN Next Gen, whereby the system is to be implemented in four phases, each providing for an increasing number of users to be transitioned to the system. For example, DHS plans to begin transitioning existing HSIN users beginning in May 2009. Further, in May 2008, DHS issued a task order engaging a contractor to acquire, deploy, operate, and maintain the new system. The total estimated value of the task order's initial year is $19 million; the order also includes 4 option years that if exercised, are estimated to be worth $62 million. DHS intends to continue to use the existing HSIN with the goal of terminating its use in September 2009 when HSIN Next Gen is to be fully completed. DHS estimates it will cost $3.1 million to operate and maintain HSIN between now and its planned September 2009 termination. DHS is in the process of implementing key acquisition management controls for HSIN Next Gen, but has yet to implement the full set of controls essential to effectively managing information technology system projects in a rigorous and disciplined manner. Specifically, it has not fully implemented key process controls in the areas of project and acquisition planning, requirements development and management, and risk management. DHS officials, including the Office of Operations Coordination and Planning's Chief Information Officer, who is responsible for managing the project, attribute the partial implementation of these key processes in large part to the aggressive schedule for acquiring and deploying HSIN Next Gen. The Chief Information Officer also stated the department plans to address these weaknesses by, for example, tasking its contractor to assist in the development and completion of the risk management process area, but had not yet established dates for when all of these activities will be completed. Until these weaknesses are effectively addressed and DHS implements and institutionalizes the full set of acquisition management controls, the project will be at increased risk of operating in an ad hoc and chaotic manner--potentially resulting in increased project costs, delayed schedules, and performance shortfalls.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: Consistent with our recommendations, DHS decided to terminate the Homeland Security Information Network (HSIN) NextGen program. In lieu of Next Gen, DHS decided to use its existing HSIN system to provide homeland security sharing capabilities. In parallel with the latter effort, DHS has also untaken initiatives to put into place effective risk management. For example, in June 2011, the department developed a HSIN risk management plan that specifies effective risk management processes to be followed, including developing an inventory (e.g., log and register) of active risks, assigning staff responsibility for mitigating these risks, developing risk mitigation actions to be taken, and reporting on risk status and progress. As of July 2011, DHS had taken actions to implement the plan. For example, HSIN program officials maintain an active risk log and register using an automated tool (called SharePoint). These program officials also use this automated tool to track the status, progress, and disposition of risks and to develop weekly status reports for management review.

Recommendation: To minimize risks to the HSIN Next Gen project, and to strengthen management of the project, the Secretary of Homeland Security should direct the Director, Office of Operations Coordination and Planning, to strengthen program management controls by ensuring effective risk management by identifying all key risks surrounding the project and developing risk mitigation plans and completion milestones.

Agency Affected: Department of Homeland Security

Status: Closed - Implemented

Comments: Consistent with our recommendations, DHS decided to terminate the Homeland Security Information Network (HSIN) NextGen program. In lieu of Next Gen, DHS decided to use its existing HSIN system to provide homeland security sharing capabilities. In parallel with the latter effort, DHS has also undertaken initiatives to establish a requirements change control process. For example, in June 2011, the department issued a HSIN requirements management plan that calls for developing and implementing a requirements change process, including establishing a change control board to manage and oversee the process and resulting changes. DHS is in the process of establishing the board. In particular, the department has drafted a charter (dated July 2011) specifying the board's roles and responsibilities and how it is to operate. DHS plans to finalize the charter by late August 2011, at which time the board is to become operational. Until then, DHS reports that its senior leadership team is acting to oversee the process and changes to requirements.

Recommendation: To minimize risks to the HSIN Next Gen project, and to strengthen management of the project, the Secretary of Homeland Security should direct the Director, Office of Operations Coordination and Planning, to strengthen program management controls by developing and implementing a requirements change control process.

Agency Affected: Department of Homeland Security

Status: Closed - Implemented

Comments: Consistent with our recommendations, DHS decided to terminate the Homeland Security Information Network (HSIN) NextGen program. In lieu of Next Gen, DHS decided to use its existing HSIN system to provide homeland security sharing capabilities. In parallel with the latter effort, DHS has also undertaken initiatives to establish needed requirements management discipline. For example, in June 2011, the department issued a HSIN requirements management plan that specifies processes for gathering, analyzing, and validating HSIN requirements. In addition, DHS deployed an automated software tool (called SharePoint) to support the implementation of the requirements management processes. This automated tool aids program staff in, among other things, collecting, validating, analyzing requirements and tracking management approvals and related audit trail activities.

Recommendation: To minimize risks to the HSIN Next Gen project, and to strengthen management of the project, the Secretary of Homeland Security should direct the Director, Office of Operations Coordination and Planning, to strengthen program management controls by ensuring all requirements are gathered, analyzed, and validated.

Agency Affected: Department of Homeland Security

Status: Closed - Implemented

Comments: In response, DHS developed a Program Management Plan (dated February 20, 2009) which identifies staff roles and responsibilities for key Homeland Security Information Network (HSIN) program officials, such as the HSIN Program Manager and Outreach Project Manager. The plan defines not only roles for strategic management activities, but also included the specific roles and responsibilities for day-to-day operations.

Recommendation: To minimize risks to the HSIN Next Gen project, and to strengthen management of the project, the Secretary of Homeland Security should direct the Director, Office of Operations Coordination and Planning, to strengthen program management controls by identifying staff roles and responsibilities.

Agency Affected: Department of Homeland Security

Status: Closed - Implemented

Comments: Consistent with our recommendations, DHS decided to terminate the Homeland Security Information Network (HSIN) Next Gen program. In lieu of NextGen, DHS decided to use its existing HSIN system to provide homeland security sharing capabilities. According to DHS officials, the latter effort requires IT staff with different critical skills and abilities than those required on NextGen. Accordingly, these officials performed a staffing needs assessment to identify the skills, abilities, and requisite staff critical to using the existing HSIN system and are in the process of hiring 16 such staff. As of July 2011, DHS had hired six of these staff and was in the process of hiring the other ten.

Recommendation: To minimize risks to the HSIN Next Gen project, and to strengthen management of the project, the Secretary of Homeland Security should direct the Director, Office of Operations Coordination and Planning, to strengthen program management controls by staffing the program office appropriately.

Agency Affected: Department of Homeland Security

Status: Closed - Implemented

Comments: Consistent with our recommendations, DHS decided to terminate the Homeland Security Information Network (HSIN) NextGen program. In lieu of Next Gen, DHS decided to use its existing HSIN system to provide homeland security sharing capabilities. As discussed above, the department has also initiated efforts to develop and implement program management controls recommended in our report.

Recommendation: The Secretary of Homeland Security should ensure that these controls are implemented before the department starts to migrate users to HSIN Next Gen's Initial Operational Capability.